Lucene search
+L

11330 matches found

CVE
CVE
added yesterday17 views

CVE-2026-46377

CVE-2026-46377 (Dasel) : A bug in the escape sequence handling of the selector lexer causes an index-out-of-range panic when a trailing backslash is inside a quoted string. The issue resides in parseCurRune where a backslash path increments pos and then reads p.src[pos] without a bounds check. Af...

6.2CVSS6.1AI score0.00052EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday63 views

Astro Cloudflare Adapter - Server Side Request Forgery

Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URL...

7.2CVSS6.1AI score0.00773EPSS
Exploits1References3
NVD
NVD
added 2 days ago9 views

CVE-2026-62314

Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. From 1.22.0 until 1.26.0-pre1, lib/policy/checker.go PathChecker.Check trusted the client-controlled X-Original-URI header before matching r.URL.Path, allowing an HTTP...

5.8CVSS0.0027EPSS
Exploits0References4
CVE
CVE
added 2 days ago42 views

CVE-2026-49352

CVE-2026-49352 affects 9router, a Node.js/Next.js AI router. The vulnerability stems from a hardcoded fallback JWT secret, implemented as the public string 9router-default-secret-change-me, used when JWT_SECRET is unset in multiple files. An attacker can forge a valid auth_token cookie and gain a...

9.8CVSS6.1AI score0.00601EPSS
Exploits1References3
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-52870 MCP Python SDK: Experimental task handlers allow any client to access and cancel other clients' tasks

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. From 1.23.0 until 1.27.2, default handlers installed by server.experimental.enabletasks for tasks/list, tasks/get, tasks/result, and tasks/cancel operate only on task identifiers without recordin...

7.6CVSS0.00227EPSS
Exploits0References4
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-1563 Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.

Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scripting XSS vulnerability in a user interface component. Requires a high privileged user with a developer role...

4.8CVSS0.00304EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago4 views

EUVD-2026-44727

Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scripting XSS vulnerability in a user interface component. Requires a high privileged user with a developer role...

4.8CVSS6.1AI score0.00304EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-1562 Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.

Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting XSS vulnerability in a user interface component. Requires a high privileged user with a developer role...

4.6CVSS0.00304EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago37 views

CVE-2026-57831 Joomla Extension - digital-peak.com - Unauthenticated blind SQL injection in DP Calendar 8.18.0 - 10.11.2

The Joomla extension DP Calendar is vulnerable to an unauthenticated SQL injection...

8.7CVSS0.00237EPSS
Exploits0References1
OSV
OSV
added 3 days ago3 views

CVE-2026-46627 Twig: Sandbox resource exhaustion via unbounded `for` / `range()`

Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenti...

7.1CVSS6.1AI score0.00385EPSS
Exploits0References5
Cvelist
Cvelist
added 3 days ago34 views

CVE-2026-46627 Twig: Sandbox resource exhaustion via unbounded `for` / `range()`

Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource exhaustion. This issue is addressed in version 3.26.0 by documenti...

7.1CVSS0.00385EPSS
Exploits0References3
CVE
CVE
added 3 days ago17 views

CVE-2026-46627

CVE-2026-46627 concerns Twig, a PHP template engine. Before 3.26.0, Twig’s sandbox does not prevent a template from consuming CPU, memory, or wall-clock time even with an allow-list, allowing resource exhaustion via unbounded for/range usage. The issue is mitigated in version 3.26.0, which docume...

7.1CVSS6.1AI score0.00385EPSS
Exploits0References3Affected Software1
CVE
CVE
added 3 days ago21 views

CVE-2026-47732

Twig Sandbox: multiple __toString() policy bypasses via unguarded string coercion points existed prior to 3.26.0, enabling string coercion of Stringable operands through various constructs (conditional expressions, matches operator, loose comparisons, tests, template-loading tags, dynamic attribu...

7.1CVSS6.1AI score0.0036EPSS
Exploits0References3Affected Software1
NVD
NVD
added 3 days ago4 views

CVE-2026-48038

joi is a schema description language and data validator for JavaScript. Prior to 17.13.4 and 18.2.1, denial of service is possible via an untrapped exception in services validating user-supplied JSON or object input with recursive link schemas. When validate is called without try/catch in a reque...

5.3CVSS0.00301EPSS
Exploits0References4
OSV
OSV
added 3 days ago3 views

CVE-2026-48038 joi: Uncaught RangeError on deeply nested input through recursive `link()` schemas

joi is a schema description language and data validator for JavaScript. Prior to 17.13.4 and 18.2.1, denial of service is possible via an untrapped exception in services validating user-supplied JSON or object input with recursive link schemas. When validate is called without try/catch in a reque...

5.3CVSS6.1AI score0.00301EPSS
Exploits0References6
CVE
CVE
added 3 days ago36 views

CVE-2026-48038

Joi (JavaScript) vulnerability CVE-2026-48038: In versions prior to 17.13.4 and 18.2.1, validation of deeply nested user input via recursive link() schemas can trigger an unhandled RangeError when validate() runs without try/catch, potentially crashing the process. Fixed in 17.13.4 and 18.2.1. CV...

5.3CVSS6.1AI score0.00301EPSS
Exploits0References4
NVD
NVD
added 3 days ago7 views

CVE-2026-50367

Incorrect access of indexable resource 'range error' in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally...

7.8CVSS0.00245EPSS
Exploits0References1
Microsoft CVE
Microsoft CVE
added 3 days ago8 views

Windows Sensor Data Service Elevation of Privilege Vulnerability

Incorrect access of indexable resource 'range error' in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally...

7.8CVSS6.1AI score0.00245EPSS
Exploits0
OSV
OSV
added 3 days ago3 views

CVE-2026-15305 TYPO3 CMS - Unrestricted File Upload in Form Framework

Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties...

6.3CVSS6.2AI score0.00174EPSS
Exploits0References7
CVE
CVE
added 3 days ago8 views

CVE-2026-15305

The CVE affects TYPO3 CMS versions 14.2.0–14.3.5. Root cause: MimeTypeValidator is registered during form building before concrete form definition properties are applied, so the server-side enforcement of allowedMimeTypes is bypassed and users can upload files with arbitrary MIME types via FileUp...

6.3CVSS6.2AI score0.00174EPSS
Exploits0References3
Rows per page
Query Builder